How Merchants Can Become PCI-DSS Certified

Compliance Simplified: Follow These 4 Steps to Achieve PCI DSS Certification

For all organizations that process payment cards, the Payment Card Industry Data Security Standard (PCI-DSS) certification is high up the data security and compliance priority list. The PCI-DSS is an information security standard defined for organizations that handle branded credit card transactions.

In effect, the PCI Data Security Standard aims to serve as a foundation of controls, recommending a baseline level of security for merchants and service providers who store, process, and transmit payment card data.

The term “standard” in the PCI Data Security Standard could make you believe that implementing PCI compliance requirements is a “good to have” rather than a “must have or else.” In reality, it is as good as a regulation.

Although the PCI Council has no legal authority to compel compliance, if you haven’t implemented the PCI compliance requirements and do not hold the PCI-DSS certification, the credit card companies will not let you process their payment cards. You can also be fined. So, in effect, if you want to process branded payment cards, you must get the PCI-DSS certification.

In 2004, credit card companies – Visa, MasterCard, Discover, American Express, and JCB International – put their heads together to release the PCI-DSS version 1.0 as the first payment card industry standard to ensure that online sellers have the systems and processes in place to prevent a payment card data breach. All these companies together formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006.

The council manages the ongoing evolution of the Payment Card Industry Data Security Standard. It has released several versions of the standard since 2006; PCI-DSS 3.2.1, released in May 2018, is the latest version.

The PCI Council defined the Payment Card Industry Data Security Standard as a set of 12 significant requirements and sub-requirements that contain numerous directives against which businesses can measure their own payment card security procedures and guidelines. The 12 requirements each have multiple sub-requirements that when factored in lead to a full-blown, comprehensive set of control requirements that your organization needs to comply with.

Managing to get a PCI compliance certification and then maintaining it can be time-consuming and complex. But there are pathways to follow that will make the process easier as you move forward to protect your cardholders. Here are the 4 steps:

 

Step One: Learn the 12 PCI Certification Standards

There are 12 main PCI-DSS requirements distributed across six broader goals, all necessary for an enterprise to obtain the PCI compliance certification. Overall, you need to comply with a total of 12 requirements and roughly 251 sub-requirements outlined in the PCI-DSS version 3.2.1 documentation to fully address the PCI compliance certification requirements. A high-level summary of the PCI compliance requirements is shown in the table below:

 


Control Objectives | PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  1. Protect stored data.
  2. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  1. Use and regularly update anti-virus software.
  2. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  1. Restrict access to cardholder data by business need-to-know.
  2. Assign a unique ID to each person with computer access.
  3. Restrict physical access to cardholder data.
Implement Strong Access Control Measures
  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.
Maintain an Information Security Policy
  1. Maintain a policy that addresses information security.

Step Two: Identify Your Organization’s Compliance Requirements

As described by the PCI Council, there are various categories of businesses and each one of them has different sets of requirements.
  • First, you need to determine your PCI-DSS validation requirements, which vary depending on the volume of transactions processed by your organization annually. Below is a high-level summary of the PCI compliance levels:
      • Level 1: more than 6 million transactions per year
      • Level 2: 1 million to 6 million transactions per year
      • Level 3: 20,000 to 1 million transactions per year
      • Level 4: fewer than 20,000 transactions per year

  • For smaller merchants (who fall under levels 2 and 3), you need to fill out a Self-Assessment Questionnaire (SAQ) to attest that your organization has implemented the security measures required by the PCI Data Security Standard. It is recommended that Level 4 merchants also fill out the SAQ, but it is not required. If you are not sure which questionnaire applies to your organization, contact your payment card vendor or your acquiring bank and they should be able to guide you. There are two main components to the Self-Assessment Questionnaire:
      • A questionnaire corresponding to the PCI Data Security Standard requirements designed especially for merchants and service providers. Here is the guideline on how to fill out the Self-Assessment Questionnaire and here you can find the list of supporting documents you need to present.
      • An Attestation of your PCI-DSS certification based on eligibility and appropriate Self-Assessment documentation. The Attestation of Compliance (AOC) is essentially a form that attests to the results of a PCI compliance audit or assessment. An appropriate attestation essentially includes the SAQ that applies to your organization.

  • For large merchants (who are considered level 1), you need to hire a Payment Card Industry Qualified Security Assessor (PCI QSA) to conduct an audit identifying that your organization meets the security standards. PCI QSAs are specially trained and certified cybersecurity professionals who are deeply knowledgeable about the security standards required for an organization to become PCI certified. The merchants who fall under level 1 of PCI-DSS compliance also need to complete an annual Report on Compliance (ROC). A Report on Compliance is also completed by the PCI QSA after s/he has completed your annual PCI compliance audit.
 

Step Three: Ease Your Pathway to PCI Certification through Preparation

Now that you are aware of the PCI compliance requirements and the PCI compliance levels, the next step is to find out precisely what you need to do to operationalize the requirements that will get your organization the PCI-DSS certification. The whole process can be a bit overwhelming, so to keep it jargon-free, we have broken down the operational requirements into parts. Let’s dig deeper into each of them:

  • Risk Assessment/Audit/Security Assessment: Since the goal of the PCI-DSS is to minimize the risk of a payment card data breach, it is vital for all organizations to conduct a detailed risk assessment of their own environment. The organization should aim to determine the threats and vulnerabilities to payment card assets and services performed.

  • Policies and Procedures: The risk assessment will give a clear view of your payment card related security threats and risks and can help you determine the security posture of your organization. This, in turn, will help you develop a well-defined set of policies and procedures that serve as the foundation for a large percentage of the PCI-DSS certification requirements. Policies and procedures need to be designed to address the requirements but they also need to be tailored to business processes and security controls within the organization. Remember, if you focus on good cybersecurity, compliance typically follows.

  • Gap Analysis: Now that you have your policies and procedures in place, it is time to review the PCI-DSS certification requirements in detail and take a close look at any potential compliance gaps. If you find these gaps then you need to establish a remediation plan for closing them. Once you have the remediation plan, it is a good idea to have a PCI QSA perform an independent gap analysis as well. This review will be much like a full PCI-DSS assessment but, in reality, more of a “practice run” that will ensure that a missed requirement will not be a hindrance on your way to obtaining the PCI compliance certification.

 

Step Four: Complete a Self-Assessment Questionnaire or Hire a PCI QSA

  • Self-Assessment Questionnaire and Attestation of Compliance (AOC): If you are Level 2, 3, or 4, you are now ready to fill out the Self-Assessment Questionnaire (SAQ). Think of the SAQ as a self-validation tool to assess security for cardholder data. It includes a set of yes-no questions for each PCI-DSS requirement applicable to your organization. As discussed earlier, you can go through the guidelines on how to fill out an SAQ and then fill it out yourself or obtain the assistance of a certified QSA. Once you’re done with the SAQ, you need to fill out an Attestation of Compliance (AOC). The AOC is essentially a form that attests to the results of a PCI compliance assessment.

  • Report on Compliance (ROC) and Attestation of Compliance: If you are a Level 1 merchant or service provider, a Report on Compliance (ROC) is the final step on your path to getting the PCI-DSS certification for your organization. The ROC is mandatory only for level 1 merchants undergoing a PCI-DSS compliance audit. To recap, a level 1 merchant is one who processes over 6 million transactions in a year. Both an AOC and ROC need to be completed by a certified PCI QSA after s/he has completed your annual PCI compliance audit. Think of it as a report card of sorts for your PCI-DSS certification compliance.

 

How can businesses demonstrate to customers that they have achieved PCI certification?

Once you have obtained the PCI-DSS certification, you should make your customers aware of it. How do you demonstrate to them that you are capable of managing the risks associated with handling highly sensitive payment card data? The Attestation of Compliance (AOC) and the Report on Compliance (ROC) prove that you are indeed PCI-DSS certified, so let your customers know about your PCI certification. The whole process of obtaining the PCI-DSS certification takes time, but it gives your organization the ability to process payment cards, which in today’s world is a necessity. More importantly, the PCI-DSS certification helps you lay the foundations for good cybersecurity practices, which will take you a long way in thwarting cyberattacks that target payment card information.
